Since the 2004 amendments to the Federal Sentencing Guidelines for Organizations moved risk assessments and program assessments from the realm of best practice to what can be seen as the territory of de facto requirements, there has been a fair bit of confusion regarding the distinctions between these two C&E program components.
In principle, a C&E risk assessment helps an organization understand not only what its risks are, but how to mitigate them. A program assessment, of course, tells the company how well the program is functioning. So, risk assessment can be seen as more design oriented, and a program assessment has more of an operational focus.
But in practice, the two overlap because one cannot assess risks without understanding how well a C&E program is mitigating them (i.e., the concept of “net risk”) and one cannot measure program efficacy without meaningful reference to an organization’s C&E risks. Moreover, some program measures will clearly serve both risk and program assessment purposes. For instance, C&E-related questions on employee surveys (e.g., whether the respondent agrees with the statement, “My manager acts with integrity”) can be useful both for program assessment purposes (that is, assessing how well the program is impacting behavior) and also risk assessment ones (that is, variations in responses among business units and/or geographies can help an organization determine where its risks are, and hence where additional C&E measures – such as training or auditing – are warranted).